Security Aspects of Video Conference Products - Stephan Verbücheln Zürich, April 15, 2020 - cnlab
←
→
Page content transcription
If your browser does not render page correctly, please read the page content below
Security Aspects of Video Conference Products
Stephan Verbücheln
Zürich, April 15, 2020
cnlab security AG © 2020Product Overview
Product Name Vendor Detailed information
Skype for Business (Lync) Microsoft Part of Microsoft Office. Website recommends Teams.
Teams Microsoft https://products.office.com/en-us/microsoft-teams/group-chat-software
Facetime Apple Part of macOS and iOS. No separate website.
Hangouts / Google Meet Google https://hangouts.google.com, https://meet.google.com
Skype (classic) Microsoft https://www.skype.com
WebEx Cisco https://www.webex.com
Zoom Zoom https://zoom.us
Jitsi Meet open source (8x8) https://jitsi.org/jitsi-meet
Nextcloud Talk open source (Nextcloud) https://nextcloud.com/talk/
2Considered Criteria
We considered products with the following minimum functionality: Audio, video, screen sharing.
In addition, we are comparing the following aspects:
User Authentication Client Setup (Including Guests)
▪ Accounts, integration to AD/LDAP ▪ Supported platforms
▪ Authentication methods ▪ Client software required
▪ Invitation of external participants ▪ Proprietary browser plugin required
▪ Runs in standard browser (WebRTC)
Data Sovereignty
▪ Cloud-based service Proxy Requirements for Clients
▪ Servers on premise ▪ HTTP, WebSocket, WebRTC
▪ Data encryption ▪ non-standard TCP or UDP ports
3Exclusions
Selection of products
There is a large number of products which implement video conferencing. This includes consumer messenger
apps that converge into conference products since they started supporting calls with multiple users.
In this document, only conference solutions targeting business use cases have been considered. A more
extensive list of conference solutions can be found in Wikipedia:
https://en.wikipedia.org/wiki/Comparison_of_web_conferencing_software
End-to-end encryption
Our focus is on business conferences with more than two participants. For these configurations, we assume
that the voice and video data is available in plaintext on the conference server (i.e. no end-to-end
encryption).
If a solution allows for hosting on premise, plaintext data on the conference server is considered acceptable.
4Skype for Business (formerly Lync) (Microsoft)
Skype for Business is the telephony and video conference solution in the Microsoft Office/Exchange
environment. It was originally named Lync and was rebranded after Microsoft acquired the “Skype” brand. It is
not to be confused with the Skype messenger targeting consumer audiences.
Microsoft is asking users to switch to Teams, which is developed with Office 365.
Advantages
▪ integrated in Office/Exchange ecosystem
▪ Skype for Business servers operated on premise
▪ dial-in with phone number possible
Disadvantages
▪ Proprietary client software or browser plugin required
▪ Microsoft developers are focusing on Teams
5Teams (Microsoft)
Teams is a new collaboration software developed by Microsoft for the Office 365 cloud platform. The
application is a web application which can be run in browsers or locally as Electron app.
Advantages
▪ integrated in Office ecosystem
▪ dial-in with phone number possible
▪ runs in standard browsers without plugin (WebRTC)
▪ works via HTTP connections
Disadvantages
▪ cloud-based, servers not on premise
6Facetime (Apple)
Facetime is the default video telephony application on Apple devices (Macs, iPhones, iPads). It is also capable
of conference calls.
Advantages
▪ works out of the box
Disadvantages
▪ Client software required
▪ only available for Apple devices
▪ cloud-based, servers not on premise
▪ dependent on Apple ID accounts
7Hangouts / Google Meet (Google)
Hangouts is the video conference application within the Google/GMail/Android ecosystem. Google has
announced to end the Hangouts some time ago, the conference functionality is available as Google Meet. At
time of writing, both services are still online.
Advantages
▪ works out of the box with Google accounts
▪ runs in standard browsers without plugin (WebRTC)
▪ works via HTTP connections
Disadvantages
▪ cloud-based, servers not on premise
▪ dependent on Google accounts
8Skype (Classic)
Skype is one of the oldest instant messaging and video call applications. It is also capable of video
conferences with multiple participants. Skype has been acquired by Microsoft.
Advantages
▪ free to use
Disadvantages
▪ cloud-based, servers not on premise
▪ account required (temporarily suspended)
▪ requires fat client or supported browser (Edge)
9WebEx (Cisco)
WebEx is a business communication solution provided by Cisco.
Advantages
▪ invitation of external participants without accounts
▪ dial-in with phone number possible
▪ runs in standard browsers without plugin (WebRTC)
▪ works via HTTP connections
Disadvantages
▪ cloud-based, servers not on premise
10Zoom
Zoom is an easy to use video conferencing solution that has gained popularity in recent time.
Advantages
▪ free basic functionality for non-commercial use
▪ easy to use
Disadvantages
▪ proprietary client software required
▪ cloud-based, servers not on premise
▪ bad track record of software quality and problem handling [summary]
▪ banned by a number of authorities and by some companies
11Jitsi Meet
Jitsi is an open source project developing a number of messaging and video tools since 2002.
Advantages
▪ open source software, actively developed
▪ server can be operated on premise (easy setup on a Debian-based Linux server)
▪ runs in standard browsers without plugin (WebRTC)
▪ works via HTTP connections
Disadvantages
▪ no integration with other applications
12Nextcloud Talk
Nextcloud is an open source implementation of cloud services for self-hosting. It is written in PHP and
includes video conference functionality with the Nextcloud Talk app.
Advantages
▪ open source software
▪ hosted on premise
▪ runs in standard browsers without plugin (WebRTC)
▪ works via HTTP connections
Disadvantages
▪ complex Nextcloud infrastructure setup required
▪ limited support for free version
13Product Comparison
Product name User Authentication Data Sovereignty Client Setup (Including Proxy Requirements for
Guests) Clients
Skype for Business company accounts server on premise client software or non-HTTP connections
(Lync) (Active Directory) proprietary plugin
Teams company accounts Office 365 (SLA available) any browser (WebRTC) none (HTTP based)
(Active Directory)
Facetime Apple ID accounts cloud-based Apple device non-HTTP connections
Hangouts / Google Meet Google accounts cloud-based any browser (WebRTC) none (HTTP based)
Skype (classic) Microsoft accounts cloud-based supported browsers only non-HTTP connections
WebEx company accounts cloud-based (SLA available) any browser (WebRTC) none (HTTP based)
(Active Directory)
Zoom Zoom accounts or cloud-based insecure client non-HTTP connections
OAuth federation
Jitsi Meet random session IDs server on premise any browser (WebRTC) none (HTTP based)
Nextcloud Talk local Nextcloud server on premise any browser (WebRTC) none (HTTP based)
accounts
14Recommendations
▪ For sensitive data, we recommend a solution which is operated on premise.
− Within Microsoft Office/Exchange ecosystems, Skype for Business is an acceptable solution.
− If no infrastructure exists, setting up Jitsi Meet on premise could be worth the effort.
▪ If conferences with guests are required, a WebRTC-enabled solution is preferable. This allows guests to
join with any modern browser without installing client software or proprietary plugins.
▪ A cloud-based solution should only be considered if the handled data is not sensitive.
▪ Zoom should only be used for data which could be made public without problems for all participants. This
is due to Zoom’s bad track record of security problems. Moreover, sensitive users will already consider
installing the Zoom client software a risk.
15Thank you for your attention!
Stephan Verbücheln
stephan.verbuecheln@cnlab.ch
+41 55 214 33 36 cnlab security AG
Obere Bahnhofstrasse 32b
info@cnlab-security.ch CH-8640 Rapperswil-Jona
+41 55 214 33 40 Switzerland
cnlab security AG ©You can also read
